Naked and Afraid: Security in the Open

Looks like it's time to blow the dust off and get a new post out, partly to make sure I am not cornered by the living Wizard of Blog, Jim Groom, and partly to talk about one of my favorite topics: open-source security. I have a couple of different applications I am going to talk about with regard to this, but I feel like I should address the title of this blog first and foremost.

In my pursuit of security tools for a small team that don't break the bank, I have found myself turning quite often to the goodwill of others (otherwise known as open source). These tools often run on Reclaim's infrastructure, mainly to protect web hosting and applications that need to be accessed publicly. This led me to the title of this post, of which I am quite proud, as these web applications are a lot of the time 'naked & afraid', out in the open, and must be secured by security software like WAFs and other tools. Consider this a guide of sorts for small teams and individuals looking to secure things that by nature run in the open.

Security Information & Event Management

One of the first tools I want to talk about is one of my favorites, Wazuh. Wazuh is an open-source SIEM/XDR platform that can provide endpoint response, threat intelligence, security operations, and cloud security. It is a fork of OSSEC, and runs on OpenSearch instead of something like Elastic (which I personally really like). The way we use it is for log analysis, threat hunting, policy monitoring, vulnerability scanning, and as our IPS solution. It is a truly deep program provided completely for free (though you can cloud-host with them for a fee) that I very much recommend you look at.

Another SIEM tool is Graylog, which I personally have not used but learned about during my bachelor's. I can't speak much on it, but it provides similar capabilities to Wazuh. An honorable mention here is Security Onion, which can be a monster of a SIEM with some tweaks and additional tools.

Threat Intelligence and Automation

Let's talk threats and security automation. There are some really wonderful open-source tools here, the first of which is Shuffle. Shuffle is a security orchestration and automation tool that can integrate via API with all the other tools I mention in this post, and is great at 'if this, do that' responses. It's got a really cool node-based editor for setting these things up too. I really recommend hosting it and playing with it a bit, as it's fully free when self-hosted.

I'd like to discuss both MISP and TheHive here as well, as these are great threat intelligence tools that work wonderfully together. These definitely dive a bit more into incident response/threat research territory, but can still be used in your average setup if that sort of thing is needed. They can work really well with honeypots/honeynets too, which I'll mention later.

MISP at its core is meant to simplify and store IOCs, or indicators of compromise, and allow you to organize this information and respond to it. These IOCs can come from your SIEM, and can then be routed to TheHive (or come from TheHive), which stores all the information in an organized cyber incident case file. These tools are way too advanced to go super in-depth on here, but again I really recommend downloading them and trying them for yourself.

Web Application Firewalls

Alright, the meat and potatoes of modern web defense. A WAF is most likely your foremost line of defense at the application layer and protects your site against bots, XSS, SQL injection, and a whole host of other bad things scurrying around the internet. There are a few options here, though none I have ever used in production. As I have never used them, I am going to list them with a short summary and recommend that you download them and try them out, like before!

The first is open-appsec, which is a machine-learning-fueled WAF. This means it is theoretically preemptive, and can block things without an actual threat signature (like zero-days). Although I have never used it, I am definitely going to spin this up and give it a go for sure.

The second WAF is Portmaster, which I have heard of but again never used. It seems to be a WAF meant specifically for your own computer rather than a server-based agent, which is quite cool but outside my specific use case.

Honeypots

I only really have one I want to talk about here because it is such a good tool that I haven't found the need for anything else, and that is T-Pot. T-Pot is an all-in-one multi-honeypot platform, and can be used for a super wide range of use cases. If you are looking for an open-source honeypot, I would look no further. It supports 20+ honeypots and maps all the data into an ELK stack for you; it's very cool.

That’s all the tools I have to talk about today, but if you have any questions feel free to leave me a comment!
